how-to block ads
|
astirusty
Premium
join:2000-12-23
Henderson, NV
 ·AT&T Southwest
| Re: Difference a year makes, good news, bad news said by jvmorris  :This is the part I found particularly interesting: . . . about 60% of all logged events of all traffic logged which includes both inbound and outbound traffic, are inbound scans and attacks Taken in conjunction with your earlier statement that you found over a 300% increase in the number of scans (over the past year), that would suggest to me that, within another year or so, the ratio of unsolicited scans to authentic traffic is gonna start approaching the proportion of spam to authentic e-mail! Maybe when the beancounters at the ISPs start realizing the costs of all the scans (in wasted bandwidth) they will finally decide to act jointly with other ISPs to put an end to it.
1) Start egress and ingress filtering and logging.
2) Start disconnecting users that have systems that are scanning (based on logs).
3) Charge a reinstatement fee for users that were disconnected for systems that were scanning (and SPAMMING).
4) Join together to put some serious pressure on OS vendors that have produced easy to hack systems that come by default with minimal security turned on.
Ohhh, never mind I just woke up and I am back to reality now... They will simply charge everyone higher connection fees. | |
|  
jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA
| Re: Difference a year makes, good news, bad news I think there is a certain amount of ingress filtering, at least, being done by at least some ISPs. I did a quick check on the unsolicited inbound probes against my current IP address early this morning, fully 60% of them came from within my own Class B subnet, virtually all of which is (supposedly) residential/home DSL customers. So my ISP must be doing some sort of ingress filtering, at least. (I think Blake's experiences with Shaw(?) show an even higher percentage of users within his own subnet.
If it's now mostly within the subnet (as in my case), then more ingress and outgress filtering is unlikely to do much, I think. Of course, if my ISP simply shut down port 445 probes on its internal routers (within the subnet, that is) that would produce a 50% drop in the number of probes I'm seeing presently here. I don't think there's any practical reason why Port 445 traffic needs to be running around even within an ISP's subnet and that would undoubtedly have a certain impact on the load of the ISP's internal routers. (I've no idea how easy/difficult this is to do with that kind of router, which is far different from what we have in SOHO NAT routers, however.)
--
Regards, Joseph V. Morris | |
| | | |
|
